Implement modifier to set CommonName
Implement modifier which sets CommonName to the certificate if
CommonName is empty and forceCN is set in the config. Replace previous
implementation introduced in 0218018cee
with new modifier.
Closes https://github.com/smallstep/certificates/issues/259
Ref: https://github.com/smallstep/certificates/pull/260#issuecomment-628961322
This commit is contained in:
parent
0218018cee
commit
322200b7db
3 changed files with 27 additions and 7 deletions
|
@ -262,13 +262,6 @@ func (o *order) finalize(db nosql.DB, csr *x509.CertificateRequest, auth SignAut
|
||||||
if csr.Subject.CommonName != "" {
|
if csr.Subject.CommonName != "" {
|
||||||
csr.DNSNames = append(csr.DNSNames, csr.Subject.CommonName)
|
csr.DNSNames = append(csr.DNSNames, csr.Subject.CommonName)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Generate Subject CommonName for supporting `conservative` systems
|
|
||||||
// which does not accept certificates with empty subject
|
|
||||||
if csr.Subject.CommonName == "" && p.(*provisioner.ACME).ForceCN {
|
|
||||||
csr.Subject.CommonName = csr.DNSNames[0]
|
|
||||||
}
|
|
||||||
|
|
||||||
csr.DNSNames = uniqueLowerNames(csr.DNSNames)
|
csr.DNSNames = uniqueLowerNames(csr.DNSNames)
|
||||||
orderNames := make([]string, len(o.Identifiers))
|
orderNames := make([]string, len(o.Identifiers))
|
||||||
for i, n := range o.Identifiers {
|
for i, n := range o.Identifiers {
|
||||||
|
|
|
@ -68,6 +68,7 @@ func (p *ACME) AuthorizeSign(ctx context.Context, token string) ([]SignOption, e
|
||||||
return []SignOption{
|
return []SignOption{
|
||||||
// modifiers / withOptions
|
// modifiers / withOptions
|
||||||
newProvisionerExtensionOption(TypeACME, p.Name, ""),
|
newProvisionerExtensionOption(TypeACME, p.Name, ""),
|
||||||
|
newForceCNOption(p.ForceCN),
|
||||||
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
|
profileDefaultDuration(p.claimer.DefaultTLSCertDuration()),
|
||||||
// validators
|
// validators
|
||||||
defaultPublicKeyValidator{},
|
defaultPublicKeyValidator{},
|
||||||
|
|
|
@ -316,6 +316,32 @@ type stepProvisionerASN1 struct {
|
||||||
KeyValuePairs []string `asn1:"optional,omitempty"`
|
KeyValuePairs []string `asn1:"optional,omitempty"`
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type forceCNOption struct {
|
||||||
|
ForceCN bool
|
||||||
|
}
|
||||||
|
|
||||||
|
func newForceCNOption(forceCN bool) *forceCNOption {
|
||||||
|
return &forceCNOption{forceCN}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (o *forceCNOption) Option(Options) x509util.WithOption {
|
||||||
|
return func(p x509util.Profile) error {
|
||||||
|
if !o.ForceCN {
|
||||||
|
// Forcing CN is disabled, do nothing to certificate
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
crt := p.Subject()
|
||||||
|
if crt.Subject.CommonName == "" {
|
||||||
|
if len(crt.DNSNames) > 0 {
|
||||||
|
crt.Subject.CommonName = crt.DNSNames[0]
|
||||||
|
} else {
|
||||||
|
return errors.New("Cannot force CN, DNSNames is empty")
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
type provisionerExtensionOption struct {
|
type provisionerExtensionOption struct {
|
||||||
Type int
|
Type int
|
||||||
Name string
|
Name string
|
||||||
|
|
Loading…
Reference in a new issue